# Dirb nikto wpscan etc

## Your Brain

* Investigate Clues:
* /wordpress/ ... very fertile ground for an attack. User access = shell.
* /phpmyadmin/ ... suggests there is a database ready to plunder.
* /info.php .... gives us Kernel, hostname and OS information immediately.

## Autorecon

* Multi-scan tool that runs nmap, gobuster, and more

```
sudo python3 autorecon.py $IP -o /home/beep/
```

## Find neighbors: netdiscover

```
sudo netdiscover -r 192.168.10.0/24
netdiscover -r 192.168.10.0/24
```

## Masscan

```
masscan -p22,80,443,445,1433,3389 --rate 15000 10.0.0.0/8
Fast enough, without causing DoS

1433 SQL
3389 RDP
If you run w/o '--rate', it will be too fast. Be careful

masscan -p0-65535 --rate 15000 --output-format binary --output-filename full.mass 10.0.0.0/8

-oL  ..List
-oJ  ..JSON
-oG  ..Grepable
-oB  ..Binary - fast but unreadable
-oX  ..XML
-oU  ..Unicornscan format

Convert Later:
masscan --read-scan full.mass --output-format xml --output-filename full.xml
masscan --read-scan full.mass --output-format grepable --output-filename full.txt
```
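The binary results above are only useful once they are converted and triaged. The following Python is an added example (not part of these notes or of masscan) that parses the list format (`-oL`, assumed to be the whitespace-separated `open <proto> <port> <ip> <timestamp>` layout) into a per-host inventory and flags the ports the notes call out (SQL, RDP) plus SMB for review. The sample input, the `REVIEW_PORTS` table and the function names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample in the layout of masscan's list output (-oL):
#   open <proto> <port> <ip> <timestamp>
# Assumption: real files keep these whitespace-separated columns; '#' lines are comments.
SAMPLE_LIST_OUTPUT = """\
#masscan
open tcp 22 10.0.0.5 1700000000
open tcp 443 10.0.0.5 1700000001
open tcp 3389 10.0.0.7 1700000002
open tcp 1433 10.0.0.7 1700000002
open tcp 80 10.0.0.9 1700000003
# end
"""

# Services the notes above single out; a real allowlist comes from the environment's policy.
REVIEW_PORTS = {445: "SMB", 1433: "SQL", 3389: "RDP"}


def parse_masscan_list(text):
    """Return {ip: sorted list of open port numbers} parsed from -oL text."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Only 'open' records carry a port finding; banner lines and anything unexpected are skipped.
        if len(fields) < 5 or fields[0] != "open":
            continue
        port, ip = int(fields[2]), fields[3]
        hosts[ip].add(port)
    return {ip: sorted(ports) for ip, ports in hosts.items()}


def exposed_review_ports(hosts, review_ports=REVIEW_PORTS):
    """Return (ip, port, label) for every open port that is on the review list."""
    findings = []
    for ip, ports in sorted(hosts.items()):
        for port in ports:
            if port in review_ports:
                findings.append((ip, port, review_ports[port]))
    return findings


if __name__ == "__main__":
    inventory = parse_masscan_list(SAMPLE_LIST_OUTPUT)
    for ip, ports in sorted(inventory.items()):
        print(ip, ports)
    for ip, port, label in exposed_review_ports(inventory):
        print(f"REVIEW {ip}:{port} ({label})")
```

Feed it `masscan --read-scan full.mass --output-format list --output-filename full.list` output to get the same inventory from a real scan; the review list is the place to encode which services are never supposed to be reachable from the scanning vantage point.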

## gobuster

* If blocked, try [dirsearch](#dirsearch) or [burp](/02-scanning/burp.md)

```
------------------------
locate common.txt  ..fast/ok
locate medium.txt  ..catches more

gobuster dir -u http://$IP -w medium.txt
gobuster dir -u http://$IP/admin -w ...
gobuster dir -u http://$IP/nibbleblog/admin/ -w medium.txt -o gobuster.log
gobuster dir -u https://$IP/ -w ..medium.txt -k
gobuster dir -u https://$IP --noprogress --wordlist ..medium.txt -k
gobuster dir -u https://$IP -w ..medium.txt  -k -x php,txt,bak,conf

-f: flag appends / to end of directory 
-x: file extensions to search for
-o: output
-k: ignore SSL certificate warnings
-a: 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'

------------------------
Shellshock:
gobuster dir -u $IP -w medium.txt
gobuster dir -u $IP -f -w medium.txt
gobuster dir -u $IP/cgi-bin/ -w medium.txt -x sh,cgi,pl,py,php
```
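From the other side of the wire, a wordlist run like the ones above leaves a very recognisable trace in the web server's access log: one request per wordlist entry, almost all of them 404, from a single source in a short window, often with the tool's default User-Agent unless `-a` was used. The following Python is an added example (not part of these notes or of gobuster/dirb) that parses Apache/nginx combined-format lines and flags such bursts; the log lines, thresholds, `SCANNER_UA_MARKERS` and function names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (Apache/nginx default). Field names are ours, not the page's.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Default User-Agent prefixes of common directory brute-forcers; corroborating only,
# since the -a flag above replaces it with a browser string.
SCANNER_UA_MARKERS = ("gobuster", "dirbuster")

FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
WORDS = ["admin", "backup", "cgi-bin", "config", "db", "images",
         "login", "old", "test", "uploads", "wp-admin", "wp-login.php"]


def _log_line(ip, second, path, status, ua):
    """Build one constructed combined-format line (all timestamps on the same minute)."""
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 196 "-" "{ua}"')


# Constructed sample: two normal browser hits, then a 12-request wordlist burst
# from 203.0.113.9 spread over three seconds, every one of them a 404.
SAMPLE_LOG = [_log_line("198.51.100.4", 1, "/", 200, FIREFOX_UA),
              _log_line("198.51.100.4", 9, "/index.php", 200, FIREFOX_UA)]
SAMPLE_LOG += [_log_line("203.0.113.9", 5 + i // 4, "/" + w, 404, "gobuster/3.6")
               for i, w in enumerate(WORDS)]


def parse_log(lines):
    """Parse combined-format lines; lines that do not match are dropped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append(e)
    return events


def find_bruteforce(events, window_seconds=60, min_requests=10, min_404_ratio=0.8):
    """Flag source IPs whose requests inside any window are numerous and mostly 404.

    Returns {ip: {"requests", "not_found", "distinct_paths", "scanner_ua"}} describing
    the largest qualifying window per IP."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            # advance the window start until it spans at most window_seconds
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            if len(window) < min_requests:
                continue
            not_found = sum(1 for e in window if e["status"] == 404)
            if not_found / len(window) < min_404_ratio:
                continue
            if best is None or len(window) > best["requests"]:
                best = {
                    "requests": len(window),
                    "not_found": not_found,
                    "distinct_paths": len({e["path"] for e in window}),
                    "scanner_ua": any(marker in e["ua"].lower() for e in window
                                      for marker in SCANNER_UA_MARKERS),
                }
        if best:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, alert in find_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(ip, alert)
```

The ratio-and-volume test is what actually catches the scan; the User-Agent match only raises confidence, because the `-a` option above swaps it for a browser string. Real logs need the thresholds tuned against the site's normal 404 rate (broken links, favicon probes) before the rule goes into an alert pipeline.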

## dirb

```
dirb http://192.168.50.102
.. WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

dirb http://10.x.x.x/admin -w   ..-w: don't stop on WARNING messages, keep scanning the other paths
```

## nikto

```
nikto -host http://10.137.114.39:1337/978345210/index.php
```

## dirsearch

* Alternative to gobuster

```
dirsearch -e txt,php -u http://$IP -w medium.txt -t 30 -f 
python3 /opt/dirsearch/dirsearch.py -u http://$IP -w medium.txt -e txt,php
```

## Wordpress Vuln Scanner - wpscan

REF: [Webapp Wordpress](/04-webapps/03-webapp-wordpress.md)

```
wpscan --url 192.168.50.102
```

## cmsmap

```
python cmsmap.py -t http://tartarsauce -f W -F --noedb
```

## wig

* WebApp Information Gatherer

```
python3 wig.py http://tartarsauce/
```

## whatweb

```
whatweb http://tartarsauce/
```

## Netcat Port Scanner

```
echo "" | nc -nvw2 10.10.10.60 20-80
```

## PowerShell Ping Sweep

```
PS> 1..255 | % {echo "10.10.10.$_"; ping -n 1 -w 100 10.10.10.$_ | select-string ttl}
```

## Public Attack Surface

```
Rumble.run  - Internal network scanning
Shodan   - Public attack surface
Censys   - Public attack surface

Axonius  - Aggregate various platforms into one.
```

## wget

```
> wget -q --server-response http://10.x.x.x
X-Powered-By: ASP.NET
```
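A header like `X-Powered-By: ASP.NET` is exactly the kind of disclosure a hardening review should remove at the server. The following Python is an added example (not part of these notes) that parses a `wget -S` style header dump, lists the version-disclosing headers present, the hardening headers missing, and cookie flags that are absent. The response block, the `DISCLOSURE_HEADERS` and `EXPECTED_HEADERS` lists and the function names are constructed for the example; only `X-Powered-By: ASP.NET` comes from the page.

```python
# Constructed response in the shape `wget -S` prints (each header line indented two spaces).
# The header names are the one the page's own example shows plus common IIS/ASP.NET ones.
SAMPLE_HEADERS = """\
  HTTP/1.1 200 OK
  Date: Sun, 10 Mar 2024 12:00:00 GMT
  Server: Microsoft-IIS/10.0
  X-Powered-By: ASP.NET
  X-AspNet-Version: 4.0.30319
  Content-Type: text/html; charset=utf-8
  Set-Cookie: ASP.NET_SessionId=example; path=/
"""

# Headers that disclose the stack or version; the fix is to suppress them at the server.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")
# Hardening headers a reviewer expects on an HTTPS site.
EXPECTED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options")


def parse_headers(text):
    """Return (status_line, {lower-case header name: value}) from a wget -S style dump.

    Assumption: one value per name; a response with several Set-Cookie lines keeps the last."""
    status, headers = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HTTP/"):
            status = line
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def review_headers(headers):
    """Report disclosure headers present, hardening headers missing and weak cookie flags."""
    findings = {"disclosure": {}, "missing": [], "cookie": []}
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            findings["disclosure"][name] = headers[name]
    findings["missing"] = [h for h in EXPECTED_HEADERS if h not in headers]
    cookie = headers.get("set-cookie", "")
    if cookie:
        # attributes after the first ';' are the cookie flags
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in flags:
                findings["cookie"].append(f"missing {flag}")
    return findings


if __name__ == "__main__":
    status, hdrs = parse_headers(SAMPLE_HEADERS)
    print(status)
    for section, items in review_headers(hdrs).items():
        print(section, items)
```

Pipe a real `wget -q -S -O /dev/null http://host 2>&1` capture into `parse_headers` to run the same review against a live server; on the sample it reports three disclosure headers, four missing hardening headers and a session cookie without HttpOnly or Secure.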

## uniscan

```
uniscan -u IP -qweds
```
